Potential Arbitrary DLL Load Using Winword

Apr 3, 2023 · attack.defense_evasion attack.t1202 ·

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

Sigma rule (View on GitHub)

 1title: Potential Arbitrary DLL Load Using Winword
 2id: f7375e28-5c14-432f-b8d1-1db26c832df3
 3related:
 4    - id: 2621b3a6-3840-4810-ac14-a02426086171
 5      type: obsoletes
 6status: test
 7description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
 8references:
 9    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
10author: Victor Sergeev, oscd.community
11date: 2020/10/09
12modified: 2023/03/29
13tags:
14    - attack.defense_evasion
15    - attack.t1202
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\WINWORD.exe'
22        - OriginalFileName: 'WinWord.exe'
23    selection_dll:
24        CommandLine|contains|all:
25            - '/l '
26            - '.dll'
27    condition: all of selection_*
28falsepositives:
29    - Unknown
30level: medium

References

One-Lin3r/one_lin3r/core/liners/windows/cmd/dll_loader_word.py at 9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6 · D4Vinci/One-Lin3r

Gives you one-liners that aids in penetration testing operations, privilege escalation and more - D4Vinci/One-Lin3r

Read More

Potential Arbitrary DLL Load Using Winword

Sigma rule (View on GitHub)

References

One-Lin3r/one_lin3r/core/liners/windows/cmd/dll_loader_word.py at 9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6 · D4Vinci/One-Lin3r

Related rules